
This article is still a work in progress, more chapters will be added during the following days.

During the last couple of weeks I’ve been working on getting a central directory setup for my client, running on OpenLDAP 2.4. Not having worked with LDAP a lot before it proved quite a challenge, especially getting Solaris 10 to work with the LDAP server without any glitches.
In this document I’ll try and describe how this setup was made, because I have been unable to find a single consistent document describing all the intricate details.
At this time I have all my problems fixed (AFAIK), but during the setup phase I experienced various problems:

Solaris 10 not seeing any users from LDAP

Solaris seeing users, but not letting them log in

Log-in working from console, but not ssh

Passwordless login (pubkey) not working in SUN-SSH

Users being able to hack extra permissions for themselves

etc.

Document Information

Information that’s relevant for the LDAP server is in sections with background color light orange

Information that’s relevant for a Solaris 10 client is in sections with background color light purple

Information that’s relevant for an AIX 6.1 client is in sections with background color blue

Information that’s relevant for a Linux client is in sections with background color light yellow

Information against a white background is general information, or valid for multiple guest operating systems.

slapd.conf

This is an example config for <openldap-dir>/etc/slapd.conf

include /opt/openldap/etc/schema/core.schema
include /opt/openldap/etc/schema/cosine.schema
include /opt/openldap/etc/schema/nis.schema
include /opt/openldap/etc/schema/inetorgperson.schema
include /opt/openldap/etc/schema/solaris.schema
include /opt/openldap/etc/schema/duaconf.schema
include /opt/openldap/etc/schema/ppolicy.schema
include /opt/openldap/etc/schema/sudo.schema

Filling the LDAP Directory

The next step is to fill the LDAP directory with some starting content…
Below you will find an example ldif file that can be used to jumpstart your LDAP directory. It creates a test user, group and people entries, a skeleton sudo infrastructure, configuration profiles and a password policy template.

Configuring a Solaris 10 Client

If you have defined a profile in your LDAP tree, it should be quite easy to set up an LDAP client on a Solaris 10 system.
If you are using SSL or TLS with your server (you should), then you need to install the CA certificate first, so the server certificate can be checked:
certutil -N -d /var/ldap
certutil -A -d /var/ldap -n 'CA Name' -i /path/to/cacert.pem -a -t CT

First copy /etc/nsswitch.ldap to /etc/nsswitch.ldap.bak and /etc/nsswitch to /etc/nsswitch.bak

Edit /etc/nsswitch.ldap, making sure to change the entries for hosts and ipnodes to ‘files dns’

Using listusers you should be able to see the ldap accounts in your userlist.

Configuring PAM

The next step is configuring PAM to allow people to actually log in using LDAP accounts, and have their passwords stored in LDAP. Sun-SSH uses separate PAM service names for each authentication method, and the sshd-pubkey method has its own dedicated configuration.

Convert your cacert.pem file to a .kdb file using (java) gsk7ikm, and place it in /etc/security/ldap/your-ca.kdb

keydbpassword = the password you use in gsk7ikm to encrypt your keyring (mandatory)

password = the password used for the proxyagent

Lastly, if your AIX clients need to interoperate with Linux and Solaris clients, you need to tell AIX to store the password age in days since the epoch, as it defaults to seconds since the epoch. Change /etc/security/ldap/2307aixuser.map:
lastupdate SEC_INT shadowlastchange s days

Configuring a RHEL Client

Configuring a Red Hat Enterprise Linux client is quite easy. It consists of the following steps:

Configuring Netgroups

Using the setup described above lets any LDAP user with a valid account log in to any LDAP-enabled client machine. This might not be what you want. Netgroups are a way to limit LDAP account visibility on a per-system basis: with netgroups you can specify which (groups of) users can log in to and use which systems.
Configuring netgroups consists of the following steps:

This example creates the Netgroup infrastructure and populates it with 2 netgroups. The ‘App1’ netgroup would be used on systems where ‘App1’ runs. The ‘Admins’ netgroup is a group for the admins, and it is included in the ‘App1’ netgroup. This way I only need to allow the App1 netgroup on that system, and it automatically includes the users from the ‘Admins’ netgroup.
To specify a user in a netgroup, use a ‘nisNetgroupTriple’ where the value is: ‘(‘, <hostname>, <username>, <domainname>, ‘)’. All fields are optional and can be left out. In our case, we’re mostly interested in the ‘username’ field, so the entries look like ‘(,username,)’.
A netgroup can include another netgroup using ‘memberNisNetgroup: netgroupname’.

Solaris: Changing nsswitch.conf

We will be using the ‘compat’ support for netgroups, so we need to change the ‘passwd’ entry in /etc/nsswitch.conf from:
passwd: files ldap

to
passwd: compat
passwd_compat: ldap

We are telling the nss system to use ‘compat’ (instead of the default files or ldap), and telling it that the database that it should check for NIS entries is ldap (default would be YP)

Allowing netgroups

Every netgroup you want to allow on the system needs to be included in the /etc/passwd file. Make sure you use the correct format, otherwise you will not be able to log in.

For Solaris this format needs to be:
+@netgroupname:x:::::
+@othernetgroup:x:::::

If you only add ‘+@netgroupname’ things seem to work: you can see the accounts with ‘listusers’ and even ‘su’ to them, but you still can’t log in with these accounts. If you add the entry as specified above and then run ‘pwconv’, the entry will be copied to ‘/etc/shadow’ in the correct format and you should then be able to log in with netgroup-listed accounts.

For AIX you can just specify the simpler:
+@netgroupname
+@othernetgroup

It is advisable to create dedicated netgroups for any system or group of systems that have their own user restrictions. It’s also a good idea to include the ‘Admins’ netgroup in any netgroup you create, or to explicitly include it on every system.
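As an added example (not part of the original article), the following Python renders the netgroup entries described above as LDIF, expands nested netgroups the way memberNisNetgroup nesting works (cycle-safe), parses nisNetgroupTriple values, and checks that a +@netgroup line in /etc/passwd uses the seven-field form Solaris requires versus the bare form AIX accepts. The base DN and the ‘ou=Netgroup’ container name are assumptions; the page does not name them.

```python
import re

# Constructed sample data mirroring the page: 'Admins' is a member of 'App1'.
NETGROUPS = {  # name -> (usernames, nested netgroups)
    "Admins": ({"alice", "bob"}, set()),
    "App1": ({"app1svc"}, {"Admins"}),
}
BASE_DN = "dc=example,dc=com"  # assumption: the page names no base DN or OU

def netgroup_ldif(name, users, members, base_dn=BASE_DN):
    """Render one nisNetgroup entry as LDIF under ou=Netgroup (assumed OU name)."""
    lines = [
        f"dn: cn={name},ou=Netgroup,{base_dn}",
        "objectClass: nisNetgroup",
        f"cn: {name}",
    ]
    # Only the username field of the (host,user,domain) triple is filled in.
    lines += [f"nisNetgroupTriple: (,{u},)" for u in sorted(users)]
    lines += [f"memberNisNetgroup: {m}" for m in sorted(members)]
    return "\n".join(lines) + "\n"

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^,]*)\)$")

def parse_triple(value):
    """Split a nisNetgroupTriple into (host, user, domain); empty fields become None."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a netgroup triple: {value!r}")
    return tuple(f or None for f in m.groups())

def expand_netgroup(name, groups=NETGROUPS, _seen=None):
    """Return every username reachable from a netgroup by following
    memberNisNetgroup recursively; _seen stops infinite loops on cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    users, members = groups[name]
    result = set(users)
    for m in members:
        result |= expand_netgroup(m, groups, _seen)
    return result

def compat_entry_ok(line, os_name):
    """Check a +@netgroup line for /etc/passwd: Solaris needs all seven passwd
    fields with 'x' as the password field; AIX accepts the bare '+@name' form."""
    if os_name == "solaris":
        return re.fullmatch(r"\+@[\w.-]+:x:::::", line) is not None
    return re.fullmatch(r"\+@[\w.-]+", line) is not None
```

Running expand_netgroup against the directory contents before rolling a netgroup out to a host is a quick way to see exactly which accounts that host will accept.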

Creating home directories

Linux and AIX have PAM modules to create a home directory for a user if one doesn’t exist. Solaris sadly doesn’t have a PAM module for this (and I couldn’t get the Linux module working on Solaris).

The Linux PAM module is pam_mkhomedir. You can include it in your PAM stack as follows:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

The AIX PAM module is called pam_mkuserhome; however, I have not been able to get it to create an actual directory in my experiments. Since I already needed a work-around for Solaris, I used that method for AIX as well.
